CN101150394A - User end extension method for subset difference/layered subset difference mechanism - Google Patents
User end extension method for subset difference/layered subset difference mechanism Download PDFInfo
- Publication number
- CN101150394A CN101150394A CNA2006101133311A CN200610113331A CN101150394A CN 101150394 A CN101150394 A CN 101150394A CN A2006101133311 A CNA2006101133311 A CN A2006101133311A CN 200610113331 A CN200610113331 A CN 200610113331A CN 101150394 A CN101150394 A CN 101150394A
- Authority
- CN
- China
- Prior art keywords
- key
- subset
- differential
- user
- expanded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
This invention discloses an expading method for user terminals of a subset difference/hierarchical subset difference system including: setting up an expanded logic ciphered key tree with an expanded user terminal as the leaf node, merging the expanded tree with the original tree before expansion to form expanded ciphered key trees, distributing independent key labels for other sub-trees and nodes to set up a key system with unchanged key label and system of the original user terminal before expansion, setting up pre-distributed keys of the expanded user terminals with unchanged pre-distrubuted keys of the user terminals before expansion, encrypting M and setting up broadcast information transmitted in channels when transmiting tip to any subset of the user terminal, which analyzes and deciphers the broadcast information to get cleartext of M.
Description
Technical Field
The present invention relates to a method for securely transmitting a secret message to any Subset of user terminals over broadcast and multicast channels, and more particularly, to a method for extending a user terminal with a Subset Difference (SD)/Layered Subset Difference (LSD) mechanism.
Background
The broadcast encryption (broadcast encryption) technology refers to a key management distribution mechanism that can broadcast secret messages to any subset of large-scale users only by adopting a one-way channel without two-way handshake communication. The development of broadcast encryption mechanisms can be divided into: the method comprises two stages of a broadcast encryption mechanism based on a matrix type structure and a broadcast encryption mechanism based on a tree type structure. In 2001, d.naor, m.naor and Lotspiech jointly proposed a new tree-type broadcast encryption mechanism: subset Difference (Subset Difference) method, abbreviated NNL scheme or SD scheme. The mechanism compromises communication overhead and key overhead of a user side by adopting differential subset coverage, improves key distribution efficiency, and is suitable for an actual system. Halevi D and Shamir A propose a Layered Subset Difference (LSD) mechanism, and the number of keys needing to be safely stored at a user side is reduced and the key overhead is reduced by secondarily splitting a Difference Subset obtained by splitting an SD mechanism.
However, both the SD mechanism and the LSD mechanism establish a static logical key tree for all user terminals as leaf nodes to distribute the pre-distributed keys of the users, so that there is a problem that the user terminals cannot be expanded.
Disclosure of Invention
The invention aims to solve the problem that a user side cannot be expanded due to the fact that a user pre-distributed key is distributed on the basis of a static key tree in a subset difference/layered subset difference mechanism, and provides a user side expansion method of the subset difference/layered subset difference mechanism.
In order to achieve the above object, the present invention provides a method for extending a subscriber end of a subset difference/hierarchical subset difference mechanism, comprising the following steps:
1) Establishing an expanded logic key tree, namely an expanded tree, by taking all expanded user sides as leaf nodes;
2) Merging the expanded tree in the step 1) with an original key tree (original tree) of a system before expansion to construct an expanded user key tree;
3) The key label and the key system in the original key tree are unchanged, and independent key labels are distributed to other nodes and other subtrees to establish the key system;
4) The pre-distributed key of the system user side before expansion is unchanged, and the pre-distributed key of the expanded user side is a key label of a node hung on the way from a root node of the key system to a node corresponding to the user side in all key systems to which the user side belongs;
5) When the secret message M is transmitted to any subset S of the user side, the secret message M is encrypted, and a broadcast message transmitted in a channel is constructed;
6) The processing mechanism of the user side is as follows: and analyzing and decrypting the broadcast message according to the pre-distributed key to obtain a plaintext M of the secret message.
In the above technical solution, further, the broadcast message in the step 5) is composed of three parts: ciphertext M' splitting S into disjoint differential subsets S i,j A random key K encrypted by a differential key respectively; the method for constructing the broadcast message transmitted in the channel comprises the following steps: a secret message M is encrypted using a random key K to generate a ciphertext M', which is split into disjoint differential subsets S by S i,j The corresponding differential keys encrypt the random keys K, respectively.
Further, S is split into disjoint differential subsets S i,j The method of (5) comprises: and moving out the subtrees with the expanded user sides as leaf nodes step by step in the system key tree, and then splitting the subsets according to a subset difference/hierarchical subset difference mechanism.
Further, the method for processing the broadcast message by the user terminal u in step 6) includes: partially parsing the differential subset in the broadcast message to find a differential subset (m, n) such that u ∈ S m,n Wherein u represents a user terminal, and (m, n) represents a differential subset; then, S is calculated according to the pre-distributed key of the user side m,n And the corresponding differential key is used for decrypting the encrypted key part in the broadcast message to calculate a random key K, and finally, the random key K is used for decrypting the ciphertext M' in the broadcast message to obtain the plaintext of the secret message M.
Further, repeating the step 1) to the step 6), multiple extensions of the system user side can be performed.
Compared with the prior art, the invention has the advantages that:
1) The problem that the user side cannot be expanded by a subset difference/hierarchical subset difference mechanism is solved, and the user side of the system can be dynamically expanded in batches on the basis of not influencing the pre-distribution of keys and decryption processing of original users of the system;
2) The extension method of the invention is transparent to the original users of the system, and the original users of the system can not detect the existence of the extension users.
Drawings
Fig. 1 is a schematic diagram of a user key tree construction when a user side is extended;
FIG. 2 is a diagram of a method for splitting an arbitrary subset S into disjoint differential subsets S i,j The flow chart of.
FIG. 3 is a diagram of a split of an arbitrary subset S into disjoint differential subsets S i,j Schematic diagram of the method.
Detailed Description
The invention is described in further detail below with reference to the following figures and detailed description:
before describing the method of the present invention, a brief description of the subset difference/hierarchical subset difference mechanism will be given. The Subset Difference (SD) mechanism builds a key tree with all clients as leaf nodes, in which the node v i And v j (wherein, v i Is v j Ancestor node) using S i,j Denotes S i,j ={u|u∈S i ,u∉S j }。
An independent key system is defined and an independent key label is assigned for each sub-tree of the key tree. The key system is characterized in that in any key system, a node v is known i Can calculate all the descendant nodes v of the node j And a differential subset S i,j When the label of the corresponding differential key, but the ancestor node of a node, is unknown, the label of the node and the differential key are pseudo-random. Each user u can calculate the differential key corresponding to the differential subset to which all u belongs through the pre-distributed key stored by the user u, and the pre-distributed key of the user u is the label of the node hung on the path from the root node of the key system to the node corresponding to u in all the key systems to which the user belongs. Secure transmission of a secret message to an arbitrary subset S of the subscriber terminalsIt is only necessary to divide S into disjoint differential subsets, and encrypt and transmit the secret message with the differential keys corresponding to the differential subsets, respectively. The authorized user end calculates the differential key corresponding to the differential subset to which the authorized user end belongs according to the pre-distributed key stored by the authorized user end, and then the encrypted secret message can be decrypted by using the differential key to obtain the plaintext of the secret message. The LSD mechanism reduces the number of keys which need to be safely stored at a user side by secondarily splitting the differential subset obtained by the SD mechanism. Both the SD mechanism and the LSD mechanism are to establish a static logical key tree for all user terminals as leaf nodes to distribute the pre-distributed keys of the users, so that there is a problem of user terminal expansion, i.e. the regrowth of the static logical key tree.
The user-side extension method of the subset difference/hierarchical subset difference mechanism according to the present invention is described in further detail with reference to the accompanying drawings and the following detailed description.
When the system is initially established, namely before the user side is expanded, the server establishes and distributes the pre-distributed keys for all original users (the users before the expansion) according to the SD/LSD mechanism and encrypts and transmits secret messages.
When the user side is expanded, a user key tree and a pre-distributed key are constructed by combining an expansion tree and an original tree. Assuming that the system has expanded the user side T times (T is an integer greater than or equal to 0, and T =0 indicates that the system has not expanded the user side), and the system key tree is T at this time, the construction steps of the user key tree after expanding the user side T +1 th time are:
1) Establishing a complete logic key tree T' by taking all the expanded user sides as leaf nodes;
2) Combining the two key trees into a new logic key tree T 'by taking T as a left sub-tree and T' as a right sub-tree;
3) Keeping key systems and key labels of all subtrees and nodes in the T unchanged, distributing independent key labels for other nodes and other subtrees of the T', and establishing the key systems according to a key establishment mechanism of SD/LSD;
4) The pre-assigned key at the original user side is unchanged. And expanding the pre-distributed key of the user side to be the key label of the node hung on the path from the root node of the key system to the node corresponding to the user side in all the key systems to which the user side belongs.
After the user end is expanded for the T +1 th time, the user key tree of the system is the key tree T'.
And the server establishes a user key tree of the system by applying the method once every time the user side is expanded, and distributes the pre-distributed keys of the expanded user side. The pre-distributed key of the original user side is kept unchanged, and the decryption processing mechanism of the original user side is unchanged.
Taking the upper half (a) of fig. 1 as an example, when the system is initially established (t = 0), the user set is U 0 ={u 0,1 ,u 0,2 ,…,u 0,n1 The root node of the user key tree of the system is root 0 Tree T of 0 (represented by white nodes in the figure). When the end user is expanded for the first time, i.e. t =1, the user end set U is expanded 1 ={u 1,1 ,u 1,2 ,…,u 1,n1 Member establishes root node as root for leaf node pair 1 ' Key Tree T 1 ' (indicated by black nodes in the figure). Merging T 0 And T 1 ' get root node as root 1 Fruit bearing tree T 1 . Holding T 0 The key system and the key label in (1) are not changed and are T 1 Other nodes and other subtrees of the system assign independent key labels and establish a key system according to the SD/LSD mechanism, i.e. U 0 The pre-distributed key of the middle member is based on the key tree T 0 Established SD/LSD Pre-distribution Key, U 1 The pre-distributed key of the middle member is based on the key tree T 1 The established SD/LSD pre-distributes keys. By analogy, the user key tree constructed when t =2 is shown in the lower part (b) of fig. 1.
And when the secret message M is transmitted to any subset S of the user side, the secret message M is encrypted to construct a broadcast message transmitted in the channel. The subset differential/hierarchical subset of claim 1User terminal of differential mechanismAn extension method, characterized in that the method of construction of the broadcast message transmitted in the channel is: m is encrypted by a random key K to generate a ciphertext M', which is split into disjoint differential subsets { S }by S i,j K is encrypted respectively by the corresponding differential keys, and the broadcast message consists of three parts: ciphertext M', S is split into disjoint differential subsets S i,j And a key K encrypted with the differential key.
The process of the server to securely transmit the secret message M to any subset S of the user side is:
1. the server selects a random key K to encrypt the secret message M to generate a ciphertext M', and the encryption algorithm uses F k Is expressed as M' = F K (M);
2. Partitioning S into disjoint differential subsets in the user Key TreeAnd calculates { S } i,j Corresponding differential key of { L } i1,j1 ,…,L in,jn }。
3. Using said differential key { L i1,j1 ,…,L in,jn Encrypting and transmitting secret information encryption keys K respectively, wherein the encryption times are the number of the disjoint differential subsets, and an encryption algorithm uses E Differential key And (4) showing.
The server-constructed broadcast message is split into a differential subset S by the cryptograms M', S i,j And a secret key K encrypted by a differential secret key:<[(i 1 ,j 1 ),…,(i n ,j n ),E Li1,j1 (K),…,E Lin,jn (K)],F K (M)>。
in a system with t expanded users, U is used n (0. Ltoreq. N. Ltoreq.t) respectively represent the nth expanded user set (U) 0 Set of original users), T 0 Represents U n Corresponding user key tree (T) n V for the root node of n Representation), the server divides S into disjoint difference sub-SThe method of assembly is shown in FIG. 2: let T first n =T t ,v n =v t Then repeatedly executing the following operation steps from T n Removing the subtree and increasing the differential subset of split until the subtree T n V root node of n Is exactly T 0 V root node of 0 :
(1) If the key tree T n V root node of n Is not T 0 Root node v of 0 Then T will be n Left subtree T of n-1 Removal by T n-1 V root node of n-1 Is v n And v is n-1 Node marked as unauthorized, moving S out of T according to SD/LSD mechanism n-1 Key tree of (T) n Into disjoint differential subsets S i1 (n) ,…,S imn (n) The number of split subsets is m n 。
(2) When tree T n Root node v of n Is a set of original users U 0 Subtree T to which it belongs 0 Root node v of 0 According toSplitting method of SD/LSD mechanism for S in key tree T n Into disjoint differential subsets S i1 (0) …,S im0 (0) The number of split subsets is m 0 。
In a system that extends t users, the process by which the server divides S into disjoint differential subsets is shown in fig. 3. Respectively with L i1 (0) ,…,L im0 (0) ,…,L i1 (t) ,…,L imt (t) To represent S i1 (0) ,…,S im0 (0) ,…,S i1 (t) ,…,S imt (t) And if the differential key corresponds to the differential key, the broadcast message constructed by the server is as follows:
<[i 1 (0) ,…,i m0 (0) ,…,i 1 (t) ,…,i mt (t) ,E Li1 (0) (K),…,E Lim0 (0) (K),E Li1 (t) ,(K),…,E Limt (t) (K)],F K (M)>。
for the ue u, the received broadcast message is:
<i 1 (0) ,…,i m0 (0) ,…,i 1 (t) ,…,i mt (t) ,C 1 (0) ,…,C m1 (0) ,C 1 (t) ,…,C mt (t) ],M′>。
because the pre-distributed key of the original user side is not changed, the processing mechanism of the original user side is not changed, the user side u does not need to know whether the user side is the original user side or the expanded user side, and the processing mechanism is the same as that of the user side in the SD/LSD mechanism:
(a) The user side u analyzes the differential subset part in the broadcast message to find i j (n) So that
(when i cannot be found j (n) So that u belongs to S ij (n) If u is not in the set S of users authorized to receive the secret message, u completes the processing of the broadcast message and does not perform the following steps).
(b) I is calculated from the pre-distributed key stored on the user side u j (n) Corresponding differential key L ij (n) 。
(c) By pair C j And (3) decryption: d Lij (n) (C j ) The decryption key K for M' is calculated.
(d) By decrypting M' with the key K: d K (M') obtaining a private message M.
Since the server does not intersect the differential subsets into which the authorized user set is divided, u only belongs to one subset at most, that is, only one result can be obtained in the first step at most.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and are not limited. Although the present invention has been described in detail with reference to the embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (5)
1. A user terminal extension method of subset difference/layered subset difference mechanism includes the following steps:
1) Establishing an expanded logic key tree by taking all expanded user sides as leaf nodes;
2) Combining the expanded logic key tree in the step 1) with the original key tree of the system before expansion to construct an expanded user key tree;
3) The key label and the key system in the original key tree are unchanged, and independent key labels are distributed to other nodes and other subtrees to establish the key system;
4) The pre-distributed key of the system user side before expansion is unchanged, and the pre-distributed key of the expanded user side is a key label of a node hung on the way from a root node of the key system to a node corresponding to the user side in all key systems to which the user side belongs;
5) When the secret message M is transmitted to any subset S of the user side, the secret message M is encrypted, and a broadcast message transmitted in a channel is constructed;
6) The processing mechanism of the user side is as follows: and analyzing and decrypting the broadcast message according to the pre-distributed key to obtain the plaintext of the secret message M.
2. The method for client side extension of the subset difference/hierarchical subset difference mechanism in claim 1, wherein the broadcast message transmitted in the channel in step 5) consists of three parts: ciphertext M' toSaid arbitrary subset S is split into disjoint differential subsets S i,j A random key K encrypted with a differential key, respectively; the construction method of the broadcast message comprises the following steps: a secret message M is encrypted using a random key K to generate a ciphertext M', which is split into disjoint subsets of differences S i,j The corresponding differential keys encrypt the random keys K, respectively.
3. The method of claim 2, wherein S is split into disjoint differential subsets { S } i,j The method of (5) comprises: and gradually moving out the subtree of which the expanded user side is a leaf node each time in the system key tree, and then splitting the subset according to a subset difference/layered subset difference mechanism.
4. The method for expanding the user end of the subset difference/hierarchical subset difference mechanism according to claim 1, 2 or 3, wherein the method for processing the broadcast message by the user end in step 6) comprises: partially parsing the differential subset in the broadcast message to find a differential subset (m, n) such that u ∈ S m,n Wherein u represents the user terminal, and (m, n) represents the differential subset; then, S is calculated according to the pre-distributed key of the user side m,n The corresponding differential key is used for decrypting the encrypted key part in the broadcast message to calculate a random key K, and finallyAnd then, the random key K is used for decrypting the ciphertext M' in the broadcast message to obtain the plaintext of the secret message M.
5. The method for client-side expansion of the subset difference/hierarchical subset difference mechanism according to claim 1, further comprising: and repeating the step 1) -the step 6) to realize multiple expansion of the system user side.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610113331A CN101150394B (en) | 2006-09-22 | 2006-09-22 | User end extension method for subset difference/layered subset difference mechanism |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610113331A CN101150394B (en) | 2006-09-22 | 2006-09-22 | User end extension method for subset difference/layered subset difference mechanism |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101150394A true CN101150394A (en) | 2008-03-26 |
| CN101150394B CN101150394B (en) | 2010-05-12 |
Family
ID=39250750
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200610113331A Expired - Fee Related CN101150394B (en) | 2006-09-22 | 2006-09-22 | User end extension method for subset difference/layered subset difference mechanism |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101150394B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102394744A (en) * | 2011-11-10 | 2012-03-28 | 香港应用科技研究院有限公司 | System of using broadcast encryption to carry out content distribution and method thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6263435B1 (en) * | 1999-07-06 | 2001-07-17 | Matsushita Electric Industrial Co., Ltd. | Dual encryption protocol for scalable secure group communication |
-
2006
- 2006-09-22 CN CN200610113331A patent/CN101150394B/en not_active Expired - Fee Related
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102394744A (en) * | 2011-11-10 | 2012-03-28 | 香港应用科技研究院有限公司 | System of using broadcast encryption to carry out content distribution and method thereof |
| CN102394744B (en) * | 2011-11-10 | 2014-04-16 | 香港应用科技研究院有限公司 | System of using broadcast encryption to carry out content distribution and method thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101150394B (en) | 2010-05-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Snoeyink et al. | A lower bound for multicast key distribution | |
| CA2477571C (en) | Key management protocol | |
| US7328343B2 (en) | Method and apparatus for hybrid group key management | |
| Kumar et al. | A computationally efficient centralized group key distribution protocol for secure multicast communications based upon RSA public key cryptosystem | |
| Hsu et al. | A novel group key transfer for big data security | |
| CN101150395A (en) | A L4 encryption method of double group of encrypted authorization management system | |
| CN114362928B (en) | Quantum key distribution and reconstruction method for multi-node encryption | |
| Kumar et al. | A secure and robust group key distribution and authentication protocol with efficient rekey mechanism for dynamic access control in secure group communications | |
| US20100174899A1 (en) | Data distribution system, key management device, and key management method | |
| FU et al. | Secure personal data sharing in cloud computing using attribute-based broadcast encryption | |
| KR100509233B1 (en) | Method and apparatus for multicast group key management | |
| US8249258B2 (en) | Communication method and communication system using decentralized key management scheme | |
| Bodur et al. | Implementing Diffie-Hellman key exchange method on logical key hierarchy for secure broadcast transmission | |
| Pareek et al. | Provably secure group key management scheme based on proxy re-encryption with constant public bulletin size and key derivation time | |
| Huang et al. | New constructions on broadcast encryption key pre-distribution schemes | |
| CN101150394A (en) | User end extension method for subset difference/layered subset difference mechanism | |
| CN101052001B (en) | System and method for secure sharing of P2P network information | |
| Li et al. | Incremental Threshold Scheme Enabled IoT Group Key Management | |
| Wang et al. | Balanced double subset difference broadcast encryption scheme | |
| Xu et al. | Multiway tree-based group key management using Chinese remainder theorem for multi-privileged group communications | |
| Thomas et al. | A novel decentralized group key management using attribute based encryption | |
| Karuturi et al. | Foundations of group key management–framework, security model and a generic construction | |
| Huai et al. | CGKDP: Concurrent Group Key Distribution Protocol | |
| Rekha et al. | Simple Hash Based Symmetric Encryption Mechanism for Dynamic Groups. | |
| CN114095160A (en) | Unlimited revocable attribute-based encryption method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100512 Termination date: 20110922 |